Daniel Pradeep | 28 Apr 13:51 2015

Is there any recommendation to use setenv?

Hi ModSec Community,


I am trying to set an incident notification from a DoS protection rule in ModSecurity. 

In one of the rules, I have used exec: to call a shell script, which works perfectly fine. However, I am trying to pull a message from the rule using setenv:, so that it can be used in the script. I followed the Reference Manual, but it returns an empty value.

Am I doing it right?

Please guide me on this.

Thanks in advance.

Regards,

/dan


--
Regards,

Daniel Pradeep

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Winfried Neessen | 27 Apr 18:38 2015

XSS in Wordpress

Hi,

Here is a quick and dirty rule for mod_sec that would block the current XSS in WordPress
as described here: http://klikki.fi/adv/wordpress2.html

It basically blocks the request in case the comment field is longer than 64 KB.

SecRule ARGS:/^(.+\-)?comment/ "@gt 65536" "phase:2,deny,status:403,msg:'Comment field too big',id:'9900001',severity:'5',rev:'1.0.0',t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.policy_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"



Winni
Reindl Harald | 27 Apr 14:44 2015

--enable-pcre-jit: segfaults Fedora 21 and roundcube 1.0.5

On Fedora 21 x86_64, mod_security 2.9.0 built with --enable-pcre-jit
crashes every time /plugins/jqueryui/js/i18n/jquery.ui.datepicker-de.js
from roundcube 1.0.5 is loaded
__________________________________

Not sure if it's GCC 4.9 or pcre, which are newer than on Fedora 20, but
after seeking the reason for random crashes over hours at the PHP/Apache side,
it turned out that it practically happens only with that file, and
without mod_security or with pcre-jit disabled all is fine
__________________________________

[Mon Apr 27 11:09:23.113259 2015] [core:notice] [pid 118704] AH00052: 
child pid 118706 exit signal Segmentation fault (11)

open("/dev/urandom", O_RDONLY)          = 13
read(13,

"\200\376%\23\240\236\n9\373\210\243%i\223\367J\210\271\177\26\207\331\177\r\372RB\342\2223\352="..., 
64) = 64
close(13)                               = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fcf70b39000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fcf70b37000
munmap(0x7fcf70b37000, 8192)            = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
chdir("/etc/httpd")                     = 0
rt_sigaction(SIGSEGV, {SIG_DFL, [], SA_RESTORER|SA_INTERRUPT, 
0x7fcf754c70d0}, {SIG_DFL, [], SA_RESTORER|SA_RESETHAND, 
0x7fcf754c70d0}, 8) = 0
kill(118706, SIGSEGV)                   = 0
rt_sigreturn({mask=[]})                 = 32
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_USER, si_pid=118706, 
si_uid=48} ---
+++ killed by SIGSEGV +++

Santiago Ingold | 24 Apr 20:41 2015

Problem with default config's "SecRule" rules on ModSecurity + NGINX

I've installed Nginx (1.8.0) + ModSecurity (2.9.0) from source on OpenBSD (5.6), without problems.


But when I try to configure modsecurity with the default config, upon starting nginx I get:


"apr_table_copy: t's pool is not an ancestor of p Abort Trap (Core Dumped)"


AFAICT the problem lies in the modsecurity.conf rules that start with "SecRule"; if I comment these lines out, nginx starts without problems.


I've also installed the OWASP CRS (only base_rules), and didn't have any problems with the "SecRule" rules.


Any ideas on what I may be doing wrong?


Thanks in advance!


## Notes ##


I've installed PCRE (8.35), Apache (2.2.27), and libxml (2.9.1), so that I could compile ModSecurity.


I compiled ModSecurity in the recommended way:

./configure --enable-standalone-module --disable-mlogc
make tests
make

And compiled Nginx with ModSecurity:

./configure --add-module=../mod_security/nginx/modsecurity \
            --sbin-path=/usr/local/sbin/nginx \
            --conf-path=/etc/nginx/nginx.conf \
            --pid-path=/var/run/nginx.pid \
            --with-http_ssl_module \
            --http-log-path=/var/log/nginx.log \
            --error-log-path=/var/log/nginx-error.log \
            --http-fastcgi-temp-path=/var/tmp/fastcgi_tmp \
            --http-proxy-temp-path=/var/tmp/proxy_tmp \
            --http-client-body-temp-path=/var/tmp/client_body_temp \
            --with-http_stub_status_module \
            --user=www --group=www
make
sudo make install

My nginx configuration is:

location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://192.168.1.21;
    proxy_read_timeout 180s;
}

Morris Taylor | 16 Apr 06:14 2015

Detecting MS15-034 attack

Dear All,

Has anyone written a customized rule for detecting the attacks focused on the MS15-034 vulnerability? It seems to be impossible to directly compare the first byte with the last byte and block the request when the last byte is less than the first byte, where the integer overflow may also occur inside mod_security. Looking for advice on writing the rule to block the malicious requests targeting the MS15-034 vulnerability. Thanks!

--

-- 
BR, Morris
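As an added illustration (not code from this thread), the checks the post describes, written in Python: parse each byte-range spec, refuse any whose last-byte-pos is below its first-byte-pos, and refuse values that cannot be a 64-bit offset before doing any arithmetic on them. The limits MAX_OFFSET and MAX_RANGES are assumptions chosen for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed limits for this example, not taken from any ModSecurity rule:
# a byte offset must fit a signed 64-bit content length, and a request
# may carry at most a handful of byte-range specs.
MAX_OFFSET = 2**63 - 1
MAX_OFFSET_DIGITS = len(str(MAX_OFFSET))  # 19 decimal digits
MAX_RANGES = 16

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_range(header: str) -> Optional[List[ByteRange]]:
    """Parse a Range header value into (first, last) pairs.

    Returns None when the value is malformed or unsafe: a non-bytes unit,
    a number too long to be a 64-bit offset (checked on the digit string,
    before any integer conversion), a last-byte-pos below first-byte-pos,
    or too many range specs.
    """
    unit, sep, specs = header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges: List[ByteRange] = []
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if m is None:
            return None
        first_s, last_s = m.groups()
        if not first_s and not last_s:  # a bare "-" is meaningless
            return None
        # Overflow guard: refuse numbers that cannot be 64-bit offsets.
        if len(first_s) > MAX_OFFSET_DIGITS or len(last_s) > MAX_OFFSET_DIGITS:
            return None
        first = int(first_s) if first_s else None
        last = int(last_s) if last_s else None
        if (first is not None and first > MAX_OFFSET) or (
            last is not None and last > MAX_OFFSET
        ):
            return None
        # The comparison the post asks for: last-byte-pos must not precede
        # first-byte-pos. Python ints do not wrap, so this cannot overflow.
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
        if len(ranges) > MAX_RANGES:
            return None
    return ranges


def range_header_is_safe(header: str) -> bool:
    """True when the Range header parses and passes every check."""
    return parse_range(header) is not None
```

Doing the numeric comparison outside the rule engine, as here, sidesteps the overflow the post worries about; a ModSecurity rule on REQUEST_HEADERS:Range can only approximate it with a regex.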


Gaurav Agarwal | 15 Apr 09:30 2015

Testing ModSecurity ?

Dear fellow experts,

Is there any open-source testing framework available to test all the rules provided by ModSecurity?

Really don't want to write a script to test all the rules individually :(.

Thanks,
Gaurav
Latimer, Jeff | 15 Apr 03:06 2015

Modsecurity IIS - Slow HTTP Post

I am running Modsecurity 2.8.0 on a Windows 2008 R2 server with IIS 7.5.

 

An attacker ran a slow HTTP POST attack against a site and it hung the application pool, rendering the site unresponsive. I replicated the behavior using Switchblade 4.01 (http://www.proactiverisk.com/switchblade/). If I hit the site with ModSecurity installed it hangs; if I uninstall ModSecurity the site handles the slow HTTP POST with ease.

Has anyone else experienced this?

Possibly of note: I set the SecStreamInBodyInspection On directive as per https://github.com/SpiderLabs/ModSecurity/issues/562

Jean Renaud | 13 Apr 12:49 2015

White-listing specific Rule for Specific domain name on Shared hosting

Hi everybody,

Let's say I'm the owner of a shared hosting company (I'm not, but let's say I am). I have several customers sharing the same IP, for example "123456foo.com" and "123456bar.com".

One of them, 123456foo.com, has an HTML editor on their web site, but is having issues because mod_security blocks some HTML tags. So they would like this rule to be disabled.

Is there some way of disabling a specific rule for a specific domain name on a shared IP? For sure, we cannot disable the rule for the IP itself because the other customer will not be protected anymore...

I've seen in the documentation that the SERVER_NAME variable will show the server name, so "123456foo.com", but this could be spoofed. But how can a spoofed request header reach the customer if the real server name is needed (since this is the only way because of the shared IP)?

Maybe we should white-list the PHP file the customer is using? For example, white-listing "\home\123456foo\public_html\htmleditor.php" for one specific rule?

Thanks.
Phil Daws | 9 Apr 16:12 2015

Modsecurity & NGINX

Hello:

We are switching from Apache to NGINX and evaluating the use of ModSec; so far so good. What we have found
though is that previously the Apache error logs would show the rule numbers that modsecurity triggered
on. With NGINX we are not seeing those at all. Probably goofed something in the configuration, so any help
is appreciated.

Thank you.


Jonathan Snowe | 9 Apr 08:52 2015

XML DTD

Hi guys,

I'm currently working on a Web Service gateway (dealing with SOAP requests) powered by ModSecurity and I need to filter some attack types (SQLi, XXE, XML bomb etc.).
I am working with ModSecurity 2.7.3 on CentOS 6.6.
I already implemented some personal rules and the CRS ruleset for SQLi, and it works nicely.

Now I want to deal with XXE and XML bombs. I think CRS does not handle these attacks, so I have to write them myself.
I noticed these 2 attacks use DTD references, so I tried different things:

- XSD schema validation. I can't get it working; it may be my XSD schemas. I tried different generators but none seems effective. I keep having some parsing errors and this solution doesn't sound very handy to me.
- REQUEST_BODY parsing to match DTD references (<!DOCTYPE, ENTITY...). From what I read, the REQUEST_BODY variable is not filled when the XML processor has matched, so I tried to fill it by adding ctl:forceRequestBodyVariable, but it doesn't seem to be better.

I don't know if you guys know how to solve these problems or have better ideas to filter these attacks.

Thank you,

--
Jon.
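Added example, not code from this thread: the DTD-based check the post lands on, done structurally with the standard-library expat parser rather than a regex over REQUEST_BODY, so the DOCTYPE is recognised however it is spaced or encoded and parsing stops before any entity is declared or expanded. The SOAP bodies and the should_block policy are constructed for the example.

```python
import xml.parsers.expat


class DtdDeclared(Exception):
    """Raised from the expat callback the moment a DOCTYPE is seen."""


def classify_xml_body(body: bytes) -> str:
    """Classify an XML request body as 'dtd', 'malformed' or 'ok'.

    XXE and entity-expansion ("XML bomb") payloads both need a DTD, so the
    check hooks expat's StartDoctypeDeclHandler and aborts at the <!DOCTYPE
    token itself: the internal subset is never read and no entity is
    expanded. External entities are not fetched either, because no
    ExternalEntityRefHandler is installed.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdDeclared(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except DtdDeclared:
        return "dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


def should_block(body: bytes) -> bool:
    """Gateway policy assumed for this example: only well-formed, DTD-free XML passes."""
    return classify_xml_body(body) != "ok"


# Constructed sample bodies (not captured traffic).
SOAP_OK = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><m:GetPrice xmlns:m="urn:example"><m:Item>apple</m:Item>'
    b'</m:GetPrice></soap:Body></soap:Envelope>'
)
# A harmless internal entity: still a DTD, still refused at the gateway.
SOAP_WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE soap:Envelope [<!ENTITY item "apple">]>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body>&item;</soap:Body></soap:Envelope>'
)
SOAP_BROKEN = b'<soap:Envelope><soap:Body></soap:Envelope>'

if __name__ == "__main__":
    for sample in (SOAP_OK, SOAP_WITH_DTD, SOAP_BROKEN):
        print(classify_xml_body(sample), should_block(sample))
```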
Swonk, Glenn | 9 Apr 01:45 2015

Problem enabling ModSecurity in IIS

I have installed the x64 version on a Win7 (x64) system and am not able to process the rules in IIS (7.5).

 

The event log indicates that the ModSecurity module has been loaded (several lines of status).

 

However, after I added the following rule (modsecurity.conf) and attempt to exercise the rule, nothing happens.

 

   SecRule REQUEST_URI|ARGS|REQUEST_BODY "zzz" "phase:1,log,deny,status:503,id:1"

 

The Web.Config file has the following entry:

 

   <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />

 

Any suggestions on how to troubleshoot the installation/configuration?

 

Thanks,

glenn
